call and evaluated along with the policy or policies that are attached to the
IAM user whose credentials are used to call GetFederationToken.
The passed policy is used to scope down the permissions that are available to
the IAM user, by allowing only a subset of the permissions that are granted to
the IAM user. The passed policy cannot grant more permissions than those granted
to the IAM user. The final permissions for the federated user are the most restrictive
set based on the intersection of the passed policy and the IAM user policy.

If you do not pass a policy, the resulting temporary security credentials have no
effective permissions. The only exception is when the temporary security credentials
are used to access a resource that has a resource-based policy that specifically
allows the federated user to access the resource.
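
The following is an added example, not code from the AWS SDK or its documentation: a simplified model of the evaluation described above, showing the intersection of the passed policy with the IAM user policy, the empty result when no policy is passed, and the resource-based policy exception. It assumes Allow statements matched on action name only (no resources, conditions or explicit Deny), and the policies and function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (illustrative, not taken from a real account).
USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "sqs:SendMessage"]},
]}
PASSED_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "dynamodb:GetItem"]},
]}


def allows(policy, action):
    """Return True if any Allow statement in the policy matches the action.

    A missing policy (None) allows nothing. Action names are compared
    case-insensitively, with '*' and '?' treated as wildcards.
    """
    if policy is None:
        return False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


def federated_user_allowed(user_policy, passed_policy, action,
                           resource_policy_allows=False):
    """Model the effective permission of the federated user for one action.

    resource_policy_allows is a hypothetical flag meaning the target resource
    has a resource-based policy that specifically allows the federated user.
    """
    if resource_policy_allows:
        return True
    # Intersection: both the IAM user policy and the passed policy must allow.
    return allows(user_policy, action) and allows(passed_policy, action)


def effective_actions(user_policy, passed_policy, candidates):
    """Return the candidate actions the federated user can perform."""
    return [a for a in candidates
            if federated_user_allowed(user_policy, passed_policy, a)]
```

Here dynamodb:GetItem appears in the passed policy but is not granted to the IAM user, so it is not available to the federated user, and s3:PutObject is granted to the IAM user but dropped because the passed policy does not include it.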